Inside Out Blog, security tag feed: http://inside-out.xyz/tag/48-security.html
Feed built Tue, 20 Mar 2018 00:14:37 -0400. Generator: Joomla! - Open Source Content Management. Language: en-gb. Editor: daniel.lucio@inside-out.xyz (Inside Out Blog).

Redirects HTTP to HTTPS but localhost
http://inside-out.xyz/technology/redirects-http-to-https-but-localhost.html

In the long journey of security, moving from HTTP to HTTPS is one of the many steps you will need to take. So the first question is: why not just close port 80/tcp? The answer is more an SEO matter than a security one: if you close port 80/tcp, Google and every other indexing engine will time out when they try to contact you. In Google's eyes that means an offline server, and an offline server is a candidate for removal from the index.

Doing a proper redirection, for example from http://inside-out.xyz/path/script.php?parameters to https://inside-out.xyz/path/script.php?parameters, is the correct way. Google understands the HTTP 301 status code and will reindex you under the correct URL.

The rewrite rule redirects every HTTP request except those coming from the 127.0.0.x addresses; you can adjust the regular expression to add other exceptions.

Remember to set AllowOverride All in the <Directory> block of Apache's configuration so that the .htaccess file is honoured, and make sure mod_rewrite is loaded.
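As an added example (not the post's own rules): an .htaccess carrying the redirect with the loopback exception, plus a small shell re-implementation of the two conditions so the regular expression can be exercised on sample requests before it goes live. It assumes mod_rewrite is loaded, the directory has AllowOverride All, and Apache terminates TLS itself; behind a TLS-terminating proxy %{HTTPS} is always off and this rule would loop, so test the X-Forwarded-Proto header there instead.

```shell
#!/bin/sh
# Added example: redirect HTTP to HTTPS except for loopback clients.
# Assumes mod_rewrite and AllowOverride All; not the post's own .htaccess.

write_redirect_htaccess() {
    # $1 = directory that receives the .htaccess
    cat > "$1/.htaccess" <<'EOF'
RewriteEngine On
# Only plain-HTTP requests are candidates.
RewriteCond %{HTTPS} !=on
# Exception: clients on 127.0.0.x (local monitoring, cron jobs) keep using HTTP.
RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.[0-9]+$
# Same host, path and query string (mod_rewrite appends the query string by itself).
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
EOF
}

redirect_location() {
    # Shell re-implementation of the two RewriteConds, to exercise them offline;
    # Apache is what enforces the real rule.
    # $1 = on/off for %{HTTPS}, $2 = client IP, $3 = Host, $4 = request URI
    # Prints the 301 Location, or nothing when the request is served as is.
    if [ "$1" = on ]; then
        return 0
    fi
    if expr "$2" : '127\.0\.0\.[0-9][0-9]*$' >/dev/null; then
        return 0
    fi
    printf 'https://%s%s\n' "$3" "$4"
}
```

Once the redirect is live, a Strict-Transport-Security header on the HTTPS responses lets returning browsers skip the HTTP hop altogether.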

Enjoy!

Published: Wed, 18 Nov 2015 22:34:46 -0500

Changing Joomla Authentication Schema to clear
http://inside-out.xyz/technology/changing-joomla-authentication-schema-to-clear.html

Unfortunately Joomla, from version 1.5 (the version where I noticed it, and probably 1.0 as well), does not store password hashes in the classic layout other programs expect; it uses its own (Joomla 1.5 to 2.5 store md5(password + salt), a colon and the salt; 3.2 and later use bcrypt). This complicates things for other programs that want to authenticate against the Joomla user table. Fortunately there is a way to do it, at the cost that the password must then be kept in clear. Bear in mind what that means: anyone who reads the table, through a backup, an SQL injection or a stolen dump, gets every user's password, so reserve this for cases where the other program really cannot be taught Joomla's format.
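An added example, not code from the post, showing the other route: teach the second program Joomla's format instead of keeping passwords in clear. The functions below reproduce and verify the md5(password + salt):salt layout of Joomla 1.5 to 2.5 (and the unsalted md5 of Joomla 1.0) from a shell; the 32-character salt and the sample password are constructed. MD5 is a weak choice for passwords, so this is for interoperating with an existing table, not for a new design, and the bcrypt values written by Joomla 3.2 and later are not handled here.

```shell
#!/bin/sh
# Added example: verify a password against a Joomla 1.5-2.5 "md5hash:salt" value,
# so another program can authenticate against the Joomla user table without
# storing clear-text passwords. Not the post's code.

md5_hex() {
    # Portable MD5 of stdin as a hex string (md5sum on Linux, md5 on BSD/macOS).
    if command -v md5sum >/dev/null 2>&1; then
        md5sum | cut -d' ' -f1
    else
        md5 -q
    fi
}

joomla_hash() {
    # $1 = password, $2 = salt (Joomla generates 32 random alphanumerics).
    # Prints the value Joomla 1.5-2.5 write to the password column.
    printf '%s:%s\n' "$(printf '%s%s' "$1" "$2" | md5_hex)" "$2"
}

joomla_verify() {
    # $1 = stored password column value, $2 = candidate password.
    # Returns 0 when the password matches, 1 otherwise.
    local stored="$1" hash salt
    case "$stored" in
        *:*) hash=${stored%%:*}; salt=${stored#*:} ;;   # salted form
        *)   hash=$stored;       salt='' ;;             # Joomla 1.0 legacy: unsalted md5
    esac
    [ -n "$hash" ] || return 1
    [ "$(printf '%s%s' "$2" "$salt" | md5_hex)" = "$hash" ]
}
```

Whatever program consumes the table this way inherits MD5's weakness, so it should rate-limit attempts like Joomla does; the right long-term fix is to upgrade to a Joomla release that uses bcrypt and let the other program verify those values.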
Published: Tue, 29 Dec 2015 12:03:41 -0500

RPM for Postgrey 1.36 in Mageia Cauldron
http://inside-out.xyz/technology/rpm-for-postgrey-1-36-in-mageia-cauldron.html

Today I have published RPMs for Postgrey 1.36 in Mageia Cauldron (6). Postgrey is a Postfix policy server implementing greylisting, developed by David Schweikert. Greylisting is a method of blocking significant amounts of spam at the mail server level without resorting to heavyweight statistical analysis or other heuristic (and error-prone) approaches; implementations are therefore fairly lightweight and may even decrease network traffic and processor load on your mail server. Greylisting relies on the fact that most spam sources do not behave like normal mail systems: a compliant MTA retries a temporarily rejected delivery, while most spam tools do not. Although it is very effective by itself, it performs best in conjunction with other forms of spam prevention. For a detailed description of the method, see the greylisting whitepaper. The term greylisting describes a general method of blocking spam based on the behaviour of the sending server rather than the content of the messages; it does not refer to any particular implementation, so there is no single greylisting product but many products that incorporate some or all of these methods.

RPMs are available for Mageia Cauldron (6); install with urpmi postgrey.

Enjoy!

Published: Wed, 27 Jan 2016 00:38:40 -0500

RPM for C-iCAP Classify 20151104 in Mageia Cauldron
http://inside-out.xyz/technology/rpm-for-c-icap-classify-20151104-in-mageia-cauldron.html

Today I have published RPMs for the C-ICAP Classify modules, version 20151104, in Mageia Cauldron (6). C-ICAP Classify is a module that classifies (labels) web pages, images (and soon video) based on their content. Labels are placed in HTTP headers, and any PICS-Label META tags are exported into HTTP headers as well. This allows very flexible filters, according to rules defined by the user, using the ACLs of the ICAP-enabled proxy. It is NOT a URL filter, so combined with SSL-Bump or a similar proxy technique it is very difficult to bypass. Text classification uses Fast Hyperspace (based on Hyperspace from CRM114) and/or a fast naive Bayes classifier; image and video (when implemented) use Haar feature detection from the OpenCV library.

RPMs are available for Mageia Cauldron (6); install with urpmi c-icap-modules-classify c-icap-modules-classify-training.

Enjoy!

Published: Wed, 27 Jan 2016 00:39:05 -0500

RPM for C-iCAP 0.4.2 in Mageia Cauldron
http://inside-out.xyz/technology/rpm-for-c-icap-0-4-2-in-mageia-cauldron.html

Today I have published RPMs for C-ICAP 0.4.2 in Mageia Cauldron (6). C-ICAP is an implementation of an ICAP server. It can be used with HTTP proxies that support the ICAP protocol, such as the Squid 3.x HTTP proxy, to implement content adaptation and filtering services (virus scanning and content classification being the usual ones).

RPMs are available for Mageia Cauldron (6); install with urpmi c-icap-server c-icap-client c-icap-modules c-icap-modules-extra.

Enjoy!

Published: Wed, 27 Jan 2016 00:39:29 -0500

How to generate a SHA512 password for the /etc/shadow file?
http://inside-out.xyz/technology/how-to-generate-a-sha512-password-for-the-etc-shadow-file.html

Today at work someone forgot the root password of a small appliance. The first attempt was to go into GRUB and boot into single-user mode. You need to know that this appliance runs ClearOS 7, yet another Red Hat derivative; the issue with ClearOS is that its initrd image does not include any USB modules, and because it is an appliance, USB devices were not recognized.

The next approach (and the one that worked) was to boot from a live USB key, mount the root partition and edit the /etc/shadow file. For this I used Mageia (as you know, I am a Mageia contributor): I downloaded the ISO image and burned it onto a USB key. So far everything worked, but here is where it became interesting.

ClearOS 7 only accepts SHA512-crypt hashes for the passwords in /etc/shadow; I tried blowfish first, without success. You can recognize SHA512-crypt hashes because they start with $6$. To generate one, the solution I found was this command: python3 -c 'import crypt; print(crypt.crypt("YOUR_PASSWORD", crypt.mksalt(crypt.METHOD_SHA512)))' . Then edit the shadow file and substitute the hash in the second field of the root line. Two things to watch: the crypt module is deprecated since Python 3.11 and removed in 3.13, so on a newer live system use openssl passwd -6 instead; and if SELinux is enforcing on the appliance, edit the file in place rather than replacing it, so it keeps its security context (or touch /.autorelabel before rebooting).

Mageia 5 live comes with Python pre-installed, so this command works out of the box. You are done.
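An added example (not the post's own command) that does the whole job from the live system: generate a SHA512-crypt hash with whatever tool the live image offers, verify it before trusting it, and splice it into the mounted shadow file without replacing the file. It assumes one of openssl 1.1.1 or later, a python3 older than 3.13, or perl with glibc's crypt is present, that the user to reset is root, and that the password is passed through stdin or the environment so it never shows up in the process list.

```shell
#!/bin/sh
# Added example: produce, verify and install a SHA512-crypt ($6$) hash for /etc/shadow.
# Assumes openssl >= 1.1.1, python3 < 3.13 or perl+glibc; not the post's command.

make_sha512_crypt() {
    # $1 = password, $2 = salt of up to 16 chars from [a-zA-Z0-9./]; prints "$6$salt$hash".
    local pw="$1" salt="$2"
    if printf 'x\n' | openssl passwd -6 -salt x -stdin >/dev/null 2>&1; then
        printf '%s\n' "$pw" | openssl passwd -6 -salt "$salt" -stdin
    elif python3 -W ignore -c 'import crypt' >/dev/null 2>&1; then
        # crypt is deprecated in 3.11 and gone in 3.13; -W ignore silences the warning.
        PW="$pw" SALT="$salt" python3 -W ignore -c \
            'import crypt, os; print(crypt.crypt(os.environ["PW"], "$6$" + os.environ["SALT"]))'
    else
        PW="$pw" SALT="$salt" perl -e 'print crypt($ENV{PW}, "\$6\$$ENV{SALT}"), "\n"'
    fi
}

random_salt() {
    # 16 characters from the crypt alphabet, read from the kernel RNG.
    tr -dc 'a-zA-Z0-9./' < /dev/urandom | head -c 16
}

check_sha512_crypt() {
    # $1 = hash from /etc/shadow, $2 = candidate password; 0 when they match.
    # Recomputes with the salt embedded in the hash, which is what login does.
    local salt
    case "$1" in '$6$'*) ;; *) return 1 ;; esac
    salt=$(printf '%s' "$1" | cut -d'$' -f3)
    [ "$(make_sha512_crypt "$2" "$salt")" = "$1" ]
}

set_shadow_hash() {
    # $1 = shadow file (the mounted /etc/shadow, or a copy), $2 = user, $3 = new hash.
    # Rewrites only field 2 of that user's line; every other field and line is kept.
    local tmp
    tmp=$(mktemp)
    awk -v u="$2" -v h="$3" 'BEGIN { FS = OFS = ":" } $1 == u { $2 = h } { print }' "$1" > "$tmp"
    cat "$tmp" > "$1"   # cat, not mv: the file keeps its mode, owner and SELinux context
    rm -f "$tmp"
}
```

A typical session on the live system would be hash=$(make_sha512_crypt "$NEWPW" "$(random_salt)"), check_sha512_crypt "$hash" "$NEWPW" and then set_shadow_hash /mnt/etc/shadow root "$hash". An openssl or libc that does not know $6$ shows up immediately in the check, which is the failure the post hit with blowfish.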

Enjoy!

Published: Mon, 01 Feb 2016 12:50:26 -0500

RPM for suPHP 0.7.2
http://inside-out.xyz/technology/rpm-for-suphp-0-7-2.html

Today I published RPMs for suPHP 0.7.2 in OKay's RPM repository. suPHP is a tool for executing PHP scripts with the permissions of their owners. It consists of an Apache module (mod_suphp) and a setuid-root binary (suphp) that the module calls to change the uid of the process running the PHP interpreter.

suPHP is needed if you want to install ISPConfig 3 and other PHP hosting control panels. With suPHP each PHP script runs under its owner's user instead of everything running as the apache user, so a faulty (or compromised) PHP script is isolated from the other sites on the server. Note that suPHP runs PHP as CGI, which is slower than mod_php, and that the setuid-root helper is itself code you have to trust; PHP-FPM with one pool per user gives the same isolation on current Apache versions.

RPMs are available for CentOS 6 and 7; you can find them with yum search mod_suphp.

Enjoy!

Published: Sun, 06 Mar 2016 11:55:00 -0500

RPM for SNIProxy 0.4.0 in Mageia Cauldron
http://inside-out.xyz/technology/rpm-for-sniproxy-0-4-0-in-mageia-cauldron.html

Today I have published RPMs for SNIProxy 0.4.0 in Mageia Cauldron (6). SNIProxy proxies incoming HTTP and TLS connections based on the hostname contained in the initial request of the TCP session (the Host header, or the Server Name Indication extension of the TLS ClientHello, which is sent in clear). This enables HTTPS name-based virtual hosting to separate backend servers without installing the private key on the proxy machine.

RPMs are available for Mageia Cauldron (6); install with urpmi sniproxy.

Enjoy!

Published: Sat, 26 Mar 2016 18:39:51 -0400

RPM for GLD 1.7
http://inside-out.xyz/technology/rpm-for-gld-1-7.html

After some hours of work on this package I finally have a decent version ready. Today I published RPMs for GLD 1.7 in OKay's RPM repository. GLD is a greylisting daemon with database support that works with Postfix. GLD can be used as a first line of defence against spam: you will see great performance on your mail server and a significant drop in spam.

This RPM is compiled with MySQL support, but you can recompile it with PostgreSQL if you prefer. GLD needs you to create its database (the schemas are in the documentation directory) and to point it at that database in its configuration file. After that, a single line in Postfix's main.cf (a check_policy_service entry in the recipient restrictions) does the magic. I will write an article soon on enabling greylisting with Postfix.

The big advantage of GLD over other greylisting daemons is that it is written in C, so processing is not only fast but memory consumption is really small.
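Both GLD and Postgrey (in the post above on Postgrey 1.36) are Postfix policy servers making the same decision on the (client IP, sender, recipient) triplet. As an added example that is neither daemon's code, here is that exchange in shell: Postfix sends the attributes of the SMTP transaction as name=value lines ended by an empty line, and the policy service answers with an action line. Assumptions: state is one file per triplet under a directory, the minimum delay is 300 seconds, the clock is passed in so it runs offline, and the request is constructed; a real daemon adds record expiry, client whitelists and a database backend.

```shell
#!/bin/sh
# Added example of the greylisting decision behind Postgrey and GLD, spelled out
# as a Postfix policy-service exchange. Not code from either project.

GREY_DELAY=${GREY_DELAY:-300}   # seconds a sender must wait before a retry is accepted

sample_request() {
    # Constructed Postfix policy request, the text Postfix writes to a check_policy_service.
    printf 'request=smtpd_access_policy\nprotocol_state=RCPT\n'
    printf 'client_address=203.0.113.7\nsender=bob@example.net\nrecipient=alice@inside-out.xyz\n\n'
}

grey_decide() {
    # $1 = state directory, $2 = current unix time, stdin = one policy request.
    # Prints the policy reply: "action=..." followed by an empty line.
    local dir="$1" now="$2" line client='' sender='' rcpt='' key f seen
    while IFS= read -r line && [ -n "$line" ]; do
        case "$line" in
            client_address=*) client=${line#client_address=} ;;
            sender=*)         sender=${line#sender=} ;;
            recipient=*)      rcpt=${line#recipient=} ;;
        esac
    done
    # One state file per triplet; cksum keeps the file name safe whatever the
    # addresses contain (a real daemon uses a database and a proper key).
    key=$(printf '%s\n%s\n%s\n' "$client" "$sender" "$rcpt" | cksum | cut -d' ' -f1)
    f="$dir/$key"
    if [ ! -f "$f" ]; then
        printf '%s\n' "$now" > "$f"   # first sight: remember the triplet and defer
        printf 'action=DEFER_IF_PERMIT Greylisted, try again later\n\n'
        return 0
    fi
    seen=$(cat "$f")
    if [ $(( now - seen )) -ge "$GREY_DELAY" ]; then
        # A real MTA retried after the delay: let the remaining restrictions decide.
        printf 'action=DUNNO\n\n'
    else
        # Retried too early: keep deferring until the delay has passed.
        printf 'action=DEFER_IF_PERMIT Greylisted, try again later\n\n'
    fi
}
```

DEFER_IF_PERMIT is what makes the temporary rejection safe: Postfix only emits the 450 if no later restriction would reject the message outright, so greylisting never masks a permanent reject. On the Postfix side the daemon is wired in with a check_policy_service inet:127.0.0.1:PORT entry in smtpd_recipient_restrictions, PORT being whatever the daemon listens on.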

RPMs are available for CentOS 6 and 7; you can find them with yum search gld.

Enjoy!

Published: Wed, 30 Mar 2016 23:18:18 -0400

Making your Server more tolerant to Joomla DDoS
http://inside-out.xyz/technology/making-your-server-more-tolerant-to-joomla-ddos.html

Today one of my servers suddenly started raising alarms out of nowhere: the database went down and Apache started forking like crazy. Everything was chaos within minutes! After looking at what was happening I found a DDoS against one of the websites hosted on that server.

The problem was that Joomla is configured to show its default page when it would otherwise answer 404. This is a good technique if you want to enhance the user experience, but in this case it backfired: every time the default page was shown, Joomla ran the SQL queries behind it, and under a massive load that drove the server out of memory.

In this case the DDoS was blindly probing for the administrator login, appending /administrator/ to every URL. I worked out a solution by editing my .htaccess file. Here is how I did it.

Published: Wed, 06 Apr 2016 22:00:58 -0400

Stop External Referrals with .htaccess File
http://inside-out.xyz/technology/stop-external-referrals-with-htaccess-file.html

HTTP (and HTTPS as well) carries a Referer header. It lets log analyzers trace where a request came from, and it lets the server tell whether a request for one of its files was triggered by its own pages or by somebody else's. So, if you need to stop external referrals, this is the way to do it.

This serves the file 1px.gif to every request whose Referer is outside the inside-out.xyz domain.

Bear in mind that this can backfire, and whether to use it depends on your environment. It can save you a lot of bandwidth (which protects your availability), but it can harm your SEO; and since the Referer is set by the client it can be spoofed or simply omitted, so this is a bandwidth control, not an access control.
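An added example (not the post's own .htaccess): the rules that serve 1px.gif to image requests with a foreign Referer, plus a shell re-implementation of the same conditions to check them on sample headers. The two conditions a practitioner tends to forget are in there: an empty Referer must be left alone (direct visits, privacy settings and many proxies send none), and the placeholder itself must be exempt, otherwise the rewrite to /1px.gif matches again on the internal redirect and Apache gives up with a 500 after ten rounds. Assumed: mod_rewrite, AllowOverride All, and a 1px.gif at the document root.

```shell
#!/bin/sh
# Added example: hotlink protection by Referer, with the two exemptions that make it
# safe (empty Referer, and the placeholder image itself). Not the post's rules.

write_hotlink_htaccess() {
    # $1 = directory that receives the .htaccess
    cat > "$1/.htaccess" <<'EOF'
RewriteEngine On
# No Referer at all: direct visits, privacy settings, some proxies. Leave alone.
RewriteCond %{HTTP_REFERER} !^$
# Referer on our own site, http or https, with or without www: leave alone.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?inside-out\.xyz/ [NC]
# Never rewrite the placeholder itself, or the rule loops on the internal redirect.
RewriteCond %{REQUEST_URI} !^/1px\.gif$
# Any other image request gets the 1x1 placeholder.
RewriteRule \.(gif|jpe?g|png)$ /1px.gif [L]
EOF
}

hotlinked_target() {
    # Shell re-implementation of the rules above, to exercise them offline.
    # $1 = Referer header value (may be empty), $2 = request path.
    # Prints the path Apache would actually serve.
    local ref="$1" path="$2"
    # Only image requests are subject to the rule, and the placeholder is exempt.
    if ! printf '%s' "$path" | grep -Eq '\.(gif|jpe?g|png)$' || [ "$path" = /1px.gif ]; then
        printf '%s\n' "$path"
        return 0
    fi
    if [ -z "$ref" ] || printf '%s' "$ref" | grep -Eqi '^https?://(www\.)?inside-out\.xyz/'; then
        printf '%s\n' "$path"
    else
        printf '/1px.gif\n'
    fi
}
```

A site that carries images on a separate hostname or CDN has to add that host to the second RewriteCond, and the Referrer-Policy sent by the linking page decides whether browsers include the header at all, which is why the empty case must stay permitted.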

Enjoy!

Published: Thu, 14 Apr 2016 13:20:51 -0400

Block a URL with a Specific Pattern with .htaccess File
http://inside-out.xyz/technology/block-a-url-with-a-specific-pattern-with-htaccess-file.html

These are basic rules, but it is important that you put them in place just in case: you never know whether the software you are running is buggy or not, and a request that Apache refuses never reaches that software.
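An added example, not the post's own .htaccess, that serves this post and the earlier one on the Joomla DDoS: Apache answers 403 from mod_rewrite for URL patterns that should never reach the application, including the "/administrator/ appended to every URL" flood. A refused request costs one Apache child and nothing else; Joomla's 404 handler and its SQL queries never run. The shell function applies the same patterns with grep so they can be checked on sample requests offline. Assumed: the Joomla admin lives under /administrator/ and only that prefix is legitimate; mod_rewrite and AllowOverride All.

```shell
#!/bin/sh
# Added example: refuse probe URLs in Apache before they reach the application.
# Not the post's own rules.

write_block_htaccess() {
    # $1 = directory that receives the .htaccess
    cat > "$1/.htaccess" <<'EOF'
RewriteEngine On
# /administrator/ is only valid as the first path segment; anywhere else it is a probe.
RewriteCond %{REQUEST_URI} !^/administrator/
RewriteRule /administrator/ - [F,L]
# Paths no legitimate request to this site carries (dot-directories, other CMS probes).
RewriteCond %{REQUEST_URI} (/\.git/|/\.env$|/wp-login\.php$|/xmlrpc\.php$) [NC,OR]
# Query strings that only attack tooling sends (QUERY_STRING is matched raw, still URL-encoded).
RewriteCond %{QUERY_STRING} (etc/passwd|base64_decode) [NC]
RewriteRule ^ - [F,L]
EOF
}

is_blocked() {
    # Same decisions as the rules above, applied with grep -E for an offline check.
    # $1 = request path, $2 = query string. Returns 0 when Apache would answer 403.
    case "$1" in
        /administrator/*)  ;;             # the real admin prefix: allowed through
        */administrator/*) return 0 ;;    # admin segment appended elsewhere: blocked
    esac
    if printf '%s' "$1" | grep -Eqi '(/\.git/|/\.env$|/wp-login\.php$|/xmlrpc\.php$)'; then
        return 0
    fi
    if printf '%s' "$2" | grep -Eqi '(etc/passwd|base64_decode)'; then
        return 0
    fi
    return 1
}
```

Under a real volumetric flood the 403s themselves still consume workers, so the usual next step is to have fail2ban read them out of the access log and drop the source at the packet filter, which is what the later posts on fail2ban are about.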

Published: Thu, 14 Apr 2016 14:23:01 -0400

ISO 27000 ISMS Implementation and Certification Process
http://inside-out.xyz/technology/iso-27000-isms-implementation-and-certification-process.html

ISO 27000 is the generic name for a family of ISO standards about information security. In this article I am going to describe how, at one of my jobs, we obtained certification for the Information Security Management System specified in ISO 27001 (which is closely linked with ISO 27002, the catalogue of controls).

First, we need to describe and make clear what a Management System is. According to ISO, a Management System is the set of procedures an organization follows in order to meet its objectives. A well-deployed Management System guarantees that every request, incident or issue (whatever name you give it) is always processed the same way, with the same established quality. A Management System uses what is called the Deming cycle (Plan-Do-Check-Act), which drives continuous improvement of all the processes involved.

Another concept we need to establish before telling this tale is what a process is. For me, a process is a sequence of interdependent, linked procedures which, at every stage, consume one or more resources (employees, time, energy, machines, money, etc.) to convert inputs (data, material, parts, etc.) into outputs. Those outputs then serve as inputs for the next stage until a known goal or end result is reached. I won't cover in this article how to document a process, but do not lose sight of the fact that you will need to document it. The ISMS is all about documenting and keeping records, and not only the ISMS: any management system is.

So, when you start defining your ISMS, keep in mind that you will need to back up all your statements. You will need security and vulnerability assessments or, in the worst case, a letter from the CEO accepting the risks involved. The CEO is ultimately responsible for the ISMS. We will talk about that later.

The asset is another concept that comes to mind. For me, an asset is anything that has value to the business. An asset has a value property that will play a crucial role in this process (the risk assessment weighs each threat against the value of the asset it endangers). I will talk about that later.

Ah! Before I forget: if you are pursuing ISO 27001 certification, you must know that the certification is granted to an organization for a specific scope, that is, a specific business process.

With these concepts in place, I will start telling what happened in those glory days.

Published: Tue, 07 Jun 2016 17:08:58 -0400

HAProxy for MySQL/MariaDB Load Balance and High Availability Cluster
http://inside-out.xyz/technology/haproxy-for-mysql-mariadb-load-balance-and-high-availability-cluster.html

Once you have set up your MySQL or MariaDB cluster in master-master mode, the next step is to put it behind a high-availability or load-balancing scheme. One of the many pieces of software you can use for this is HAProxy. HAProxy is a TCP/HTTP reverse proxy particularly suited to high-availability environments. It can: route HTTP requests depending on statically assigned cookies; spread load among several servers while ensuring server persistence through HTTP cookies; switch to backup servers when a main server fails; accept connections on special ports dedicated to service monitoring; stop accepting connections without breaking existing ones; add, modify and delete HTTP headers in both directions; block requests matching particular patterns; and report detailed status to authenticated users from a URI intercepted by the application. For MySQL the proxy works in plain TCP mode, so it balances connections, not queries, and it needs a MySQL-aware health check to notice a backend that accepts TCP but no longer answers queries.

So, I will explain how I did this configuration.

Published: Wed, 10 Aug 2016 03:09:20 -0400

Layer 3 Controls vs Layer 7 Exposures: The fail2ban Case
http://inside-out.xyz/technology/layer-3-controls-vs-layer-7-exposures-the-fail2ban-case.html

IT security is not a simple area. You need more than knowing how to configure a firewall rule. Indeed, in my opinion, you must have deep knowledge of the network stack (TCP/IP and the OSI model), of the protocols involved (IP headers, HTTP headers, LDAP authentication, to mention a few) and of the configuration details of the operating system and the software involved (knowing MariaDB's options if you are doing database security), plus any other theory relevant to your environment. And this is only the technical part.

If you want to go further, you should understand security concepts such as risk, vulnerability, exposure, control and others.

At that point you can have a clear view of what is best for your strategy. With all this said, I will talk about a classic error made when deciding how to implement security controls.

A Firewall is not always the Solution for Everything

First, I must say that for me a proxy is not a firewall. Some authors state that a proxy can be considered a layer 7 firewall, but in this article a firewall is something like a Netscreen device, a Check Point or iptables on Linux, and a proxy is something like Squid or, better still, mod_security for Apache. The big difference is the layer at which they operate. Firewalls work on layers 2, 3 and 4; the finest control you get is by port. Some firewalls, like iptables, try to work around this with the string match module, where you can set criteria based on the payload, but again they do not understand the protocol: it is just a dumb machine hitting a blind condition. Proxies, on the other hand, operate on layer 7; they fully understand the protocol. Squid is an excellent example: it understands HTTP and you can create rules based on HTTP elements such as the authenticated user, the path of the files, the POST payload, cookies and many other things.

Published: Fri, 05 May 2017 01:03:41 -0400

Connecting to a RDS such as Azure's, AWS' or Google's
http://inside-out.xyz/technology/conecting-to-a-rds-such-as-azure-s-aws-or-google-s.html

RDS services (managed relational databases) are becoming very common now. Big players like Azure, Amazon (AWS) and Google offer them. They are very handy: you get rid of scalability problems and focus only on your database management.

One of the features you will find, as I did, in these services is enforced security: TLS is required on the connection, which is good, since the information travels over the Internet. The bad news is that not every client system knows how to use TLS/SSL connections. I will describe how I did it in my cases.

Published: Tue, 30 May 2017 13:26:15 -0400

Configure Basic Authentication within the .htaccess Apache File
http://inside-out.xyz/technology/configure-basic-authentication-within-the-htaccess-apache-file.html

Again, this is almost a copy & paste recipe. This configuration makes Apache ask for a username and password before serving a specific directory over HTTP. It is very handy and I use it often, so it is worth having in an article. Keep in mind that HTTP Basic authentication only base64-encodes the credentials, so it must be used over HTTPS only.
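An added example, not the post's recipe: create the credentials file outside the document root, write the matching .htaccess, and verify a username/password pair the way mod_authn_file does. It assumes Apache 2.4 (Require syntax), mod_auth_basic and mod_authn_file loaded, AllowOverride AuthConfig on the directory, and openssl present; the password file uses the APR1-MD5 scheme because openssl can write it without htpasswd, but where htpasswd is available, htpasswd -B (bcrypt) is the better choice. The user and password are constructed.

```shell
#!/bin/sh
# Added example: htpasswd-style credentials plus the .htaccess that enforces them.
# Assumes Apache 2.4 and openssl; not the post's recipe.

add_basic_auth_user() {
    # $1 = htpasswd file (keep it outside the document root), $2 = user, $3 = password.
    # The password is fed to openssl on stdin so it never appears in the process list.
    local entry tmp
    entry=$(printf '%s\n' "$3" | openssl passwd -apr1 -stdin)
    tmp=$(mktemp)
    # Replace any existing line for the user, keep every other line.
    { grep -v -- "^$2:" "$1" 2>/dev/null || true; printf '%s:%s\n' "$2" "$entry"; } > "$tmp"
    cat "$tmp" > "$1"
    rm -f "$tmp"
    chmod 640 "$1"   # readable by the web server's group, nobody else
}

write_auth_htaccess() {
    # $1 = protected directory, $2 = absolute path of the htpasswd file
    cat > "$1/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted area"
AuthUserFile $2
Require valid-user
EOF
}

check_basic_auth() {
    # $1 = htpasswd file, $2 = user, $3 = password; 0 when the pair is valid.
    # Recomputes APR1 with the salt stored in the file, as mod_authn_file does.
    local stored salt
    stored=$(grep -- "^$2:" "$1" | head -n1 | cut -d: -f2)
    case "$stored" in '$apr1$'*) ;; *) return 1 ;; esac
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    [ "$(printf '%s\n' "$3" | openssl passwd -apr1 -salt "$salt" -stdin)" = "$stored" ]
}
```

Combined with the HTTP-to-HTTPS redirect from the first post, the credentials never cross the wire in clear; without it, anyone on the path reads them straight out of the Authorization header.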
Published: Wed, 31 May 2017 16:12:01 -0400

Configuring fail2ban to resist SSH Brute Attacks
http://inside-out.xyz/technology/configuring-fail2ban-to-resist-ssh-brute-attacks.html

As I have already written, fail2ban is an excellent tool to fill the gap between layer 7 exposures and layer 3 controls. One of the most common configurations you will need is SSH protection against brute-force attacks. Some security experts recommend moving SSH off port 22/tcp, but in my opinion that is not a good idea: you are just plugging one hole by opening another, and anyone can do a port scan with Nmap and find the new port.

Because of this, I will give a recipe here. Note that I tested it without the firewalld daemon; on a host that runs firewalld, point banaction at the firewallcmd-ipset action instead of the iptables ones.

Published: Tue, 16 Jan 2018 10:24:38 -0500

Taking the Hardening of FusionPBX / FreeSWITCH further
http://inside-out.xyz/technology/taking-the-hardening-of-fusionpbx-freeswitch-further.html

If you installed FusionPBX from the installation scripts you will notice it already ships some fail2ban configuration. If you are using my RPMs, they do not include any of it, as my philosophy is to specialize each package to do one thing rather than do it all. Anyway, if you only use FusionPBX with FreeSWITCH as a personal PBX, those rules should be more than enough.

If you are more serious about your PBX, or you are running a business, you will find at some point that those rules are not enough. Let me explain. As a commercial service your exposure to the world is bigger: your domain is advertised, telephones make DNS, HTTP and SIP requests to your servers, and sooner or later you will get your first script kiddies targeting them. As you grow, you will find your customers are far from technical; they do many dumb things (wrong passwords because they changed something on the service, or inside jobs by tech staff, to name two) that trigger fail2ban bans.

There is nothing more harmful than a bad review from an ignorant customer. They do not know why they are being blocked. So this is where we need to tune fail2ban and add some important information to pre-block offending IPs.

Published: Thu, 25 Jan 2018 15:44:14 -0500

My Proposal about how to protect your VoIP Customers against Caller ID Spoofing
http://inside-out.xyz/technology/my-proposal-about-how-to-protect-your-voip-customers-against-caller-id-spoofing.html

Thanks to VoIP we can link remote places and communicate at the lowest possible cost. VoIP companies know that, and it is one of the biggest reasons this industry has been growing.

If you already know VoIP, you have surely read about SIP and RTP. There are other protocols, but I will focus on these two as they are the most common. SIP does the signalling while RTP carries the audio. SIP has many functions in VoIP, but the main one is the INVITE request, which initiates a call and carries all the details about it, including the caller ID number.

Sadly for us, SIP itself provides no mechanism to prevent spoofing the caller ID: the From header is filled in by the calling endpoint and nothing in the protocol verifies it. This means I could (but will not) call someone pretending to be the Parliament of Canada by setting my caller ID to 1 866 599 4999. A little searching turns up many frauds, many of them impersonating revenue agencies.

The Government of Canada, through its telecommunications regulator, the Canadian Radio-television and Telecommunications Commission (CRTC), recognizes this danger and has published a decision on Measures to reduce caller identification spoofing and to determine the origins of nuisance calls.

The CRTC suggests the use of STIR/SHAKEN; however, in my experience, I believe this is not enough and is just a poor attempt to cover the real risk. I will explain my line of thinking.
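An added example, and not the author's proposal: the one check a provider can apply on its own edge regardless of STIR/SHAKEN, that the number a customer presents in the INVITE's From header is one assigned to the account that authenticated the request. It assumes the account name comes from the SIP digest authentication already performed on the REGISTER or INVITE, that the assignment table is a constructed "account number" list, and that the INVITE below is constructed rather than captured.

```shell
#!/bin/sh
# Added example: reject an INVITE whose From number is not assigned to the
# authenticated customer. Not the author's proposal; assumptions in comments.

sample_invite() {
    # Constructed INVITE (not a capture); $1 = the caller ID the endpoint presents.
    printf 'INVITE sip:+14165550123@inside-out.xyz SIP/2.0\r\n'
    printf 'Via: SIP/2.0/UDP 203.0.113.50:5060;branch=z9hG4bK776asdhds\r\n'
    printf 'From: "Parliament" <sip:%s@inside-out.xyz>;tag=1928301774\r\n' "$1"
    printf 'To: <sip:+14165550123@inside-out.xyz>\r\n'
    printf 'Call-ID: a84b4c76e66710@203.0.113.50\r\n'
    printf 'CSeq: 314159 INVITE\r\n'
    printf 'Content-Length: 0\r\n\r\n'
}

from_number() {
    # stdin = SIP request. Prints the user part of the From URI (From: or the f: short form).
    tr -d '\r' | sed -n -E 's/^(From|f):.*<sip:([^@;>]+)@.*/\2/p' | head -n1
}

assigned_numbers() {
    # Constructed assignment table: "account number", one pair per line.
    # In production this is the customer database, keyed by the authenticated account.
    printf 'cust-001 +14165550100\ncust-001 +14165550101\ncust-002 +14165550200\n'
}

callerid_allowed() {
    # $1 = authenticated account, stdin = INVITE.
    # Returns 0 to let the call through, 1 to answer 403 Forbidden.
    local n
    n=$(from_number)
    [ -n "$n" ] || return 1      # no parsable From: refuse rather than guess
    assigned_numbers | grep -qxF -- "$1 $n"
}
```

This is also what lets a provider sign outbound calls with SHAKEN's full ("A") attestation honestly: that level means the provider authenticated the customer and verified their right to use the number, which is exactly the check above. A provider that skips it and still signs with full attestation is laundering spoofed calls with its own certificate.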

Published: Sat, 27 Jan 2018 17:52:59 -0500

How DNS Tunneling Works
http://inside-out.xyz/technology/how-dns-tunneling-works.html

DNS tunnelling is just another tunnelling technique; it is often called VPN over DNS too, but that is just naming. The tunnel client encodes its outbound data into the labels of queries for a domain whose authoritative server is the tunnel endpoint, and the server sends data back in the answer records (TXT, NULL or CNAME), so every resolver that forwards the query becomes an unwitting relay. What makes it so popular is that not all carriers or network administrators are aware of it, or, if they are, they do not know exactly how to stop it. Rogers, one of the biggest telecommunications carriers in Canada, and Telcel, the biggest mobile operator in Mexico, both allow DNS tunnelling (I don't doubt other carriers do as well), so when you run out of data in your plan you can still connect if you configure it on your phone. This is because smartphones need to reach some carrier servers regardless of whether you are entitled to 2G/3G/4G data, so they still have access to the carrier's DNS resolver. Local networks have the same symptom: because DNS is used to reach many IT services, such as Active Directory, it is very difficult to tell a legitimate DNS query from tunnelling traffic without the proper tools.
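An added example, not from the post or from any tunnelling tool: the encoding step a tunnel client performs (raw bytes into query names under a domain the tunnel server is authoritative for), the decoding the server does, and the size heuristic a review of resolver logs can apply to spot it. It assumes hex encoding and a constructed domain t.example; real tools use base32 or base64, carry the return path in TXT or NULL answers, and add sequence numbers, none of which is shown here.

```shell
#!/bin/sh
# Added example: DNS tunnel encoding/decoding and a shape-based detector.
# Hex encoding and the domain t.example are assumptions; not a real tool's code.

TUN_DOMAIN=${TUN_DOMAIN:-t.example}

dns_encode() {
    # stdin = raw bytes. Prints query names, one per line, each carrying up to two
    # 60-character hex labels (60 bytes of payload). RFC 1035 limits a label to 63
    # octets and a name to 253, which is what bounds the payload per query.
    od -An -v -tx1 | tr -d ' \n' | fold -w 60 | awk -v d="$TUN_DOMAIN" '
        {
            labels = labels (labels != "" ? "." : "") $0
            if (NR % 2 == 0) { print labels "." d; labels = "" }
        }
        END { if (labels != "") print labels "." d }'
}

dns_decode() {
    # stdin = names produced by dns_encode (what the authoritative server sees).
    # Strips the domain, joins the labels and writes the raw bytes back.
    awk -v d="$TUN_DOMAIN" '{ sub("\\." d "$", ""); gsub(/\./, ""); printf "%s", $0 }' |
        sed 's/../& /g' | tr ' ' '\n' | while read -r hh; do
            if [ -n "$hh" ]; then
                printf "\\$(printf '%03o' "$((0x$hh))")"
            fi
        done
}

looks_like_tunnel() {
    # $1 = query name. Returns 0 when its shape is typical of a tunnel: a label over
    # 40 characters or a name over 100. Hostnames, even Active Directory SRV names,
    # are made of short words; tunnel labels are long runs of encoded data.
    printf '%s\n' "$1" | awk -F. '
        length($0) > 100 { found = 1 }
        { for (i = 1; i <= NF; i++) if (length($i) > 40) found = 1 }
        END { exit !found }'
}
```

The detector is deliberately crude: a tunnel can shorten its labels and pay in throughput, so in practice it is combined with the query rate per client towards one domain and the ratio of TXT/NULL answers, and with the blunter control the post alludes to, which is forcing all clients through an internal resolver and dropping port 53 to anything else.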